OKD provides an authentication provider for use with Lightweight Directory Access Protocol (LDAP) setups, but it can connect to only a single LDAP server. During OKD installation, you can configure the System Security Services Daemon (SSSD) for LDAP failover to ensure access to your cluster if one LDAP server fails.

The setup for this configuration is advanced and requires a separate
authentication server, also called a remote basic authentication server, for
OKD to communicate with. You configure this server
to pass extra attributes, such as email addresses, to OKD so it can
display them in the web console.

This topic describes how to complete this setup on a dedicated physical or
virtual machine (VM), but you can also configure SSSD in containers.

You must complete all sections of this topic.

Prerequisites for configuring basic remote authentication

Before starting setup, you need to know the following information about your
LDAP server:

Whether the directory server is powered by FreeIPA, Active Directory, or another LDAP solution.

The Uniform Resource Identifier (URI) for the LDAP server, for example,
ldap.example.com.

The location of the CA certificate for the LDAP server.

Whether the LDAP server corresponds to RFC 2307 or RFC 2307bis for user groups.

Prepare the servers:

remote-basic.example.com: A VM to use as the remote basic authentication server.

Select an operating system that includes SSSD version 1.12.0 for this server,
such as Red Hat Enterprise Linux 7.0 or later.

openshift.example.com: A new installation of OKD.

You must not have an authentication method configured for this cluster.

Do not start OKD on this cluster.

Generating and sharing certificates with the remote basic authentication server

Complete the following steps on the first master host listed in the Ansible host inventory file,
by default /etc/ansible/hosts.

To ensure that communication between the remote basic authentication server and
OKD is trustworthy, create a set of Transport Layer Security (TLS)
certificates to use during the other phases of this setup. Run the following command:

A comma-separated list of all the host names and interface IP addresses that need to access the
remote basic authentication server.

The certificate files that you generate are valid for two years. You can alter
this period by changing the --expire-days and --signer-expire-days values,
but for security reasons, do not make them greater than 730.

If you do not list all host names and interface IP addresses that need to access the
remote basic authentication server, the HTTPS connection will fail.

Copy the necessary certificates and key to the remote basic authentication server:

Configuring SSSD for LDAP failover

Complete these steps on the remote basic authentication server.

You can configure the SSSD to retrieve attributes, such as email addresses and
display names, and pass them to OKD to display in the web interface.
In the following steps, you configure the SSSD to provide email addresses to
OKD:

To use SSSD to manage failover situations for LDAP, add more entries to the
/etc/sssd/sssd.conf file on the ldap_uri line. Systems that are
enrolled with FreeIPA can automatically handle failover by using DNS SRV records.

Modify the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file
and add this attribute:

[domain/example.com]
...
ldap_user_extra_attrs = mail (1)

(1) Specify the correct attribute to retrieve email addresses for your LDAP
solution. For IPA, specify mail. Other LDAP solutions might use another
attribute, such as email.

Confirm that the domain parameter in the /etc/sssd/sssd.conf file
contains only the domain name listed in the [domain/DOMAINNAME] section.

domains = example.com

Grant Apache permission to retrieve the email attribute. Add the following
lines to the [ifp] section of the /etc/sssd/sssd.conf file:
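A check script for the sssd.conf settings described in this section, added here as an example and not part of the OKD documentation. It parses a constructed sample sssd.conf and reports a finding when the domains list does not match the configured domain sections, when a plain LDAP domain lists fewer than two ldap_uri servers, when ldap_user_extra_attrs lacks the email attribute, or when the [ifp] section does not expose it to Apache; the [ifp] option names (user_attributes, allowed_uids) and their values are assumptions, since the page does not show them.

```python
import configparser

# Constructed sample sssd.conf in the shape the steps above describe.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ifp
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_user_extra_attrs = mail

[ifp]
user_attributes = +mail
allowed_uids = apache, root
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text, attr="mail"):
    """Return a list of findings; an empty list means the config passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    listed = set(_csv(cp.get("sssd", "domains", fallback="")))
    configured = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")}
    if listed != configured:
        findings.append(f"[sssd] domains {sorted(listed)} != configured sections {sorted(configured)}")
    for name in sorted(configured):
        sec = cp[f"domain/{name}"]
        uris = _csv(sec.get("ldap_uri", ""))
        # FreeIPA-enrolled hosts fail over via DNS SRV; plain LDAP needs two or more URIs.
        if sec.get("id_provider") != "ipa" and len(uris) < 2:
            findings.append(f"domain/{name}: ldap_uri lists {len(uris)} server(s); failover needs at least two")
        # Entries may be 'name' or 'name:ldap_attribute'; the sssd-side name comes first.
        extra = [e.split(":", 1)[0] for e in _csv(sec.get("ldap_user_extra_attrs", ""))]
        if attr not in extra:
            findings.append(f"domain/{name}: ldap_user_extra_attrs does not include '{attr}'")
    # Assumed [ifp] options: the attribute must be exposed and the apache user allowed.
    ifp = cp["ifp"] if cp.has_section("ifp") else {}
    if f"+{attr}" not in _csv(ifp.get("user_attributes", "")):
        findings.append(f"[ifp] user_attributes does not expose '+{attr}'")
    if "apache" not in _csv(ifp.get("allowed_uids", "")):
        findings.append("[ifp] allowed_uids does not include 'apache'")
    return findings
```

Run it against the real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` on the remote basic authentication server; any non-empty result points at a line to fix before moving on to the Apache configuration.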

Configuring Apache to use SSSD

Create a /etc/pam.d/openshift file that contains the
following contents:

auth required pam_sss.so
account required pam_sss.so

This configuration enables PAM, the pluggable authentication module, to use
pam_sss.so to determine authentication and access control when an
authentication request is issued for the openshift stack.

Edit the /etc/httpd/conf.modules.d/55-authnz_pam.conf file and uncomment
the following line:

LoadModule authnz_pam_module modules/mod_authnz_pam.so

To configure the Apache httpd.conf file for remote basic authentication,
create the openshift-remote-basic-auth.conf file in the
/etc/httpd/conf.d directory. Use the following template to provide your
required settings and values:

Carefully review the template and customize its contents to fit your
environment.